goscuter1 Posted March 11, 2011

Hi, the symptoms of the malware are extensive and varied. It presented 3 weeks ago, a day after a Dell service technician replaced my laptop hard drive with a brand new one, and then installed non-existent firmware on it. Dell are refusing to comment aside from offering to refund my laptop's purchase price.

Upon noticing how fast my laptop was running after the Dell scum left, I formatted my desktop and another laptop's hard drives, and installed Win7 from a flash drive I created on the Dell. The next day, everything went to sh.t.

The first peculiar thing I noticed was some applications on my desktop refusing to run when I double-clicked on them. Messages would pop up saying I didn't have permissions and to contact my Administrator (I am always logged in as Administrator). I tried to uninstall / delete but was unable to. I tried downloading Revo Uninstaller and the .exe file was deleted immediately upon install. The same thing happened with most AV 'solutions' and malware scan utilities.

I had been running MS Security Essentials and iObit 360 and both were running through full scans saying everything was peachy. I uninstalled iObit's software fine, but MS Security Essentials was impossible to get rid of. I noticed a Windows Service for MS Security Essentials but I could not Stop or Disable it as everything was greyed out.

Trying to manually delete files, I noticed most of my desktop's applications had strange permissions added. To start with, Trusted Installer had become the owner for most of them, and I was unable to reclaim ownership as Administrator as Trusted Installer had also taken over Audit and Special Permissions for my C: drive as Creator Owner. There were also a lot of listed Permissions for User S-1-21-xxx (long hash code) etc, on almost every executable file.
I formatted using the Win7 Ultimate genuine discs and installed Trend Micro Titanium, which was immediately patched, and I had similar problems getting rid of that to try other AV 'solutions'. Webroot went the same way. ESET was even worse, running through Full scans saying everything was fine, whilst Firewall rules were being added to let in the hacker-world-at-large.

Forum 'experts' have proved painfully slow, utterly clueless, surprisingly dull and creepily pathetic, in their nauseating refusal to address pointed queries and their shameful willingness to simply declare anything they don't understand is 'fine', whilst they ignore detected rootkits which haven't been cleaned on my system but simply no longer show on scans. They have pronounced my systems clean on the basis of a Malwarebytes clean scan (which has said everything is fine, on every scan from the start), ignoring the fact that GMER's first ever scan result was unaddressed...

---- Services - GMER 1.0.15 ----
Service C:\Windows\servicing\TrustedInstaller.exe (*** hidden *** ) [AUTO] TrustedInstaller <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----

...or the tens of thousands of Errors/Warnings being logged... ComboFix and RKill result in BSODs pretty much every time.

Microsoft tech support are either hilariously incompetent or just simply vile. They receive the evidence I send them, then claim they didn't. They've accused me of imagining it all, and advised me to quickly report it to the "Cyber Police". They're idiots (and that's really being diplomatic).

Frustrated and out of ideas, with one hard drive destroyed (admittedly possibly by frustrated uninstalls of hidden non-plug&play drivers I did en masse one day), I purchased a new hard drive and low-level formatted (dban) my laptop's hard drive. I flashed the BIOS on each hard drive, and with all network adapters deactivated, I then installed Win7 Ultimate onto the 'clean' hard drives with the same Win7 genuine advantage disc.
Before going online, I installed McAfee Total Protection, and then individually took each system online to download the latest of Microsoft's endless security patches for the thousands of exploitabilities in their retarded OS. With everything more or less stable for 3-4 days following the huge effort, I breathed a sigh of relief. Which turned into a furious scream yesterday, when I realised Windows Update was refusing to...Update. Critical security patches were deemed unnecessary, and I have to manually download and install them. They patch nothing, which isn't surprising.

Every time I do a command line scan with System File Checker, corrupted system files are found and replaced. Hours later, they're all corrupted again and sfc /scannow 'fixes' them all again. Back and forth. I think I've finally worked out what's corrupting them, but I don't have a clue how to address it.

Somehow the 8 hour low-level format I conducted (prior to flashing the BIOS) on my Latitude didn't affect the cbs.log, as it's showing logs from a fortnight before the low-level format. I thought that was impossible?

In each cbs.log, I have endless repetitions of activity which are highly suspect. I don't know 100% which sections are or aren't logs of legitimate activity (and I would wager a lot neither do Microsoft, which explains why they are useless / refuse to assist). But I'm pretty sure I can finger some parts which are *not* legit.

In my desktop cbs.log, the only "clients" which initialize sessions are:
SPP (a few times)
WindowsUpdateAgent (00's or 000's of times)

In my laptop cbs.log, the following "clients" initialize sessions:
DISM Package Manager Provider (x 2)
lpksetup (x 20)
WindowsUpdateAgent (x 00's or 000's)
Software Explorer (x 20)
SPP (x 7)

I think the lpksetup client sessions are highly suspect. Although I'm basing that primarily on this thread below and because I can't think of a legitimate reason for silent language pack operations to be occurring.
http://seclists.org/fulldisclosure/2010/Oct/374
Exploit: Windows 7 lpksetup.exe (oci.dll) DLL Hijacking Vulnerability
Extension: .mlc
Author: Tyler Borland
Date: 10/20/2010
Tested on: Windows 7 Ultimate
Effect: Remote Code Execution

My cbs.log files are many tens of thousands of lines / pages from only the last 3 weeks. But after a sfc /scannow clean, I turned on my laptop the next day and stuff started happening silently pretty much instantly without any prompt or signal whatsoever. I then ran another sfc scan and it replaced all the corrupted system files. The cbs.log excerpt for those two events only (20 min apart) is here: http://justpaste.it/98y

10 min after SFC replaced all the corrupted files in the excerpt above, the silent process kicked into gear again, uploading corrupted replacements from the offline registry hive. I ran SFC again, even more corrupted files cleaned and replaced. Around and around we go... switched-off computers are waking up on their own accord, and it creeps me out.

MBAM / SAS couldn't find a prostitute in a brothel. I seriously think they're both redundant and worthless.
Immunet isn't really working at the moment, screenshot: Immunet Rootkit Scan

The requested HijackThis log is below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:45:37 PM, on 11/03/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8080.16413)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Users\goscuter1\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = file://c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = file://c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: XmarksThumbnailsDLLBHO - {1BD0BEFE-F697-4eee-B7E1-76B849A5CB84} - C:\Program Files\Xmarks\Thumbnails for IE\xmarksthumbnails.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110310171744.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Users\goscuter1\AppData\Roaming\LastPass\LPBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Webroot Browser Helper Object - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - (no file)
O2 - BHO: WRCommonBHO - {D93EC24D-8741-4D41-B83D-A5793B998416} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Users\goscuter1\AppData\Roaming\LastPass\LPBar.dll
O3 - Toolbar: (no name) - {97ab88ef-346b-4179-a0b1-7445896547a5} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Kaspersky Security Scan.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O8 - Extra context menu item: LastPass - file://C:\Users\goscuter1\AppData\Roaming\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\goscuter1\AppData\Roaming\LastPass\context.html?cmd=fillforms
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Users\goscuter1\AppData\Roaming\LastPass\LPBar.dll
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O9 - Extra button: Betway.com Casino - {8f5dc89b-70e1-48b3-a760-7b77aac47207} - https://betway.gameassists.co.uk/betway/Default.aspx?gameID=Lobby (file missing) (HKCU)
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://oas.support.microsoft.com/ActiveX/MSDcode.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Immunet 3.0 (ImmunetProtect) - Sourcefire, Inc. - C:\Program Files\Immunet Protect\3.0.0\agent.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe

--
End of file - 6934 bytes
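The session-client tally the poster works out by hand from cbs.log (which clients opened servicing sessions, and how often, alongside what SFC reported repairing) can be automated. The following is an added example by the editor, not code from the poster or from any tool named in the thread. It assumes the Windows 7 CBS.log line forms "Session: <id> initialized by client <name>." and "[SR] Repairing corrupted file ... "<file>" from store"; the baseline client set is an assumption, and the sample log lines are constructed, not taken from the poster's logs.

```python
"""Triage a Windows 7 CBS.log: tally which clients opened servicing sessions
and list the files SFC reported repairing.

Editor's added example.  Line formats are the ones Windows 7 writes to
%WINDIR%\\Logs\\CBS\\CBS.log; the sample below is constructed for the demo.
"""
import re
from collections import Counter

# "Session: 30210527_3136128663 initialized by client WindowsUpdateAgent."
SESSION_RE = re.compile(
    r"Session: (?P<id>\S+) initialized by client (?P<client>.+?)\.\s*$")
# '[SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"wuaueng.dll" from store'
# File names never contain a quote or backslash, so the final quoted token is the member name.
REPAIR_RE = re.compile(
    r'\[SR\] Repairing corrupted file .*?"(?P<file>[^"\\]+)" from store')

# Assumed baseline of session clients a Windows 7 box shows on its own
# (Windows Update, licensing, servicing).  A client outside this set is not
# proof of anything; it is a prompt to correlate the timestamp with what the
# user actually did (lpksetup is legitimate when a language pack was installed).
EXPECTED_CLIENTS = {"WindowsUpdateAgent", "SPP", "TrustedInstaller",
                    "DISM Package Manager Provider"}

# Constructed sample, not the poster's log.
SAMPLE_LOG = r"""
2011-03-10 10:07:12, Info                  CBS    Session: 30210527_3136128663 initialized by client WindowsUpdateAgent.
2011-03-10 10:07:14, Info                  CBS    Session: 30210527_3136128663 finalized. Reboot required: no [HRESULT = 0x00000000 - S_OK]
2011-03-10 10:21:40, Info                  CBS    Session: 30210527_3144998207 initialized by client lpksetup.
2011-03-10 10:21:41, Info                  CBS    Session: 30210527_3144998207 finalized. Reboot required: no [HRESULT = 0x00000000 - S_OK]
2011-03-10 10:30:02, Info                  CBS    Session: 30210527_3151300119 initialized by client SPP.
2011-03-10 10:45:55, Info                  CBS    Session: 30210527_3160771431 initialized by client lpksetup.
2011-03-10 11:02:17, Info                  CSI    000001a3 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"wuaueng.dll" from store
2011-03-10 11:02:19, Info                  CSI    000001a4 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"cryptsvc.dll" from store
2011-03-10 11:02:30, Info                  CSI    000001a5 [SR] Verify complete
"""


def parse_cbs(lines):
    """Return (Counter of session clients, list of files SFC repaired, in log order)."""
    clients = Counter()
    repaired = []
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            clients[m.group("client")] += 1
            continue
        m = REPAIR_RE.search(line)
        if m:
            repaired.append(m.group("file"))
    return clients, repaired


def unexpected_clients(clients, baseline=EXPECTED_CLIENTS):
    """Clients outside the assumed baseline, with their session counts."""
    return {c: n for c, n in clients.items() if c not in baseline}


def triage(text):
    """One-shot summary of a CBS.log body, as a plain dict."""
    clients, repaired = parse_cbs(text.splitlines())
    return {
        "sessions_by_client": dict(clients),
        "unexpected_clients": unexpected_clients(clients),
        "sfc_repaired_files": repaired,
    }


if __name__ == "__main__":
    # On a real machine: triage(open(r"C:\Windows\Logs\CBS\CBS.log", encoding="utf-8", errors="replace").read())
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Session counts alone do not distinguish a rogue session from a legitimate one; the value of the tally is in matching each unexpected client's timestamps against the user's own actions and against the SFC repair bursts.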
goscuter1 Posted March 11, 2011 (Author)

Mostly out of boredom, I tried a ComboFix scan again. After the malware blocked it a few times saying it wasn't compatible with Vista or 7, I tried it in Safe Mode and it ran through its 70 stages or w/e and delivered a logfile - anything of value/interest in this huge log?

ComboFix 11-03-10.04 - goscuter1 12/03/2011 2:01.1.2 - x86 NETWORK
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.3572.2805 [GMT 7:00]
Running from: c:\users\goscuter1\Desktop\agssgf.exe
AV: Immunet 3.0 *Disabled/Updated* {E26D838D-778A-C93D-0B41-46E786995C11}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
2011-03-10 02:26 -------- d-----w- c:\program files\Common Files\Adobe 2011-03-10 02:23 . 2011-03-10 10:08 -------- d-----w- c:\programdata\Immunet 2011-03-10 02:22 . 2011-03-11 19:07 -------- d-----w- c:\program files\Immunet Protect 2011-03-10 02:20 . 2011-03-10 07:13 -------- d-----w- c:\programdata\Google Updater 2011-03-10 02:20 . 2011-03-10 02:25 -------- d-----w- c:\program files\Google 2011-03-09 15:10 . 2011-03-09 15:10 -------- d-----w- c:\programdata\McAfee Security Scan 2011-03-09 14:49 . 2010-10-13 15:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-03-09 14:49 . 2010-10-13 15:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-03-09 14:49 . 2010-10-13 15:28 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys 2011-03-09 14:49 . 2010-10-13 15:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-03-09 14:49 . 2010-10-13 15:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-03-09 14:49 . 2010-10-13 15:28 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys 2011-03-09 14:49 . 2010-10-13 15:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2011-03-09 14:49 . 2010-10-13 15:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-03-09 14:49 . 2011-03-09 14:50 -------- d-----w- c:\program files\Common Files\Mcafee 2011-03-09 14:49 . 2011-03-09 15:01 -------- d-----w- c:\program files\McAfee 2011-03-09 14:38 . 2010-10-13 15:28 141792 ----a-w- c:\windows\system32\mfevtps.exe 2011-03-09 10:35 . 2011-03-09 10:35 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2 2011-03-09 09:45 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll 2011-03-09 09:45 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll 2011-03-09 09:45 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll 2011-03-09 04:29 . 2010-12-23 05:54 850944 ----a-w- c:\windows\system32\sbe.dll 2011-03-09 04:29 . 
2010-12-23 05:54 642048 ----a-w- c:\windows\system32\CPFilters.dll 2011-03-09 04:29 . 2010-12-23 05:54 534528 ----a-w- c:\windows\system32\EncDec.dll 2011-03-09 04:29 . 2010-12-23 05:50 199680 ----a-w- c:\windows\system32\mpg2splt.ax 2011-03-06 03:31 . 2011-03-09 15:10 -------- d-----w- c:\program files\McAfee Security Scan 2011-03-06 02:22 . 2010-04-13 13:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys 2011-03-06 02:22 . 2011-03-06 02:22 -------- d-----w- c:\program files\McAfee Online Backup 2011-03-06 02:20 . 2011-03-09 13:24 -------- d-----w- c:\programdata\NVIDIA 2011-03-06 02:18 . 2011-01-08 03:27 5653096 ----a-w- c:\windows\system32\nvwgf2um.dll 2011-03-06 02:18 . 2011-01-08 03:27 15047272 ----a-w- c:\windows\system32\nvoglv32.dll 2011-03-06 02:18 . 2011-01-08 03:27 10467656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys 2011-03-06 02:18 . 2011-01-08 03:27 10078312 ----a-w- c:\windows\system32\nvd3dum.dll 2011-03-06 02:18 . 2011-01-08 03:27 4941928 ----a-w- c:\windows\system32\nvcuda.dll 2011-03-06 02:18 . 2011-01-08 03:27 2895976 ----a-w- c:\windows\system32\nvcuvid.dll 2011-03-06 02:18 . 2011-01-08 03:27 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll 2011-03-06 02:18 . 2011-01-08 03:27 1965672 ----a-w- c:\windows\system32\nvapi.dll 2011-03-06 02:10 . 2011-03-06 02:19 -------- d-----w- c:\programdata\NVIDIA Corporation 2011-03-06 02:09 . 2011-01-08 03:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll 2011-03-06 02:09 . 2011-01-08 03:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll 2011-03-06 02:09 . 2011-01-08 03:27 57960 ----a-w- c:\windows\system32\OpenCL.dll 2011-03-06 02:09 . 2011-01-08 03:27 13011560 ----a-w- c:\windows\system32\nvcompiler.dll 2011-03-06 02:08 . 2011-03-10 09:20 -------- d-----w- c:\program files\NVIDIA Corporation 2011-03-06 02:08 . 2011-03-06 02:08 -------- d-----w- C:\NVIDIA 2011-03-06 00:50 . 2011-03-06 01:52 -------- d-----w- c:\programdata\AVAST Software 2011-03-06 00:50 . 
2011-03-06 00:50 -------- d-----w- c:\program files\AVAST Software 2011-03-06 00:08 . 2011-03-06 00:08 -------- d-----w- c:\program files\UltraISO 2011-03-06 00:08 . 2011-03-06 00:08 -------- d-----w- c:\program files\Common Files\EZB Systems 2011-03-05 17:25 . 2011-03-05 17:27 -------- d-----w- c:\program files\TweakNow PowerPack 2011 2011-03-05 17:19 . 2011-02-23 02:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B3B99559-E40D-49FE-A08C-93E928E2D9A3}\mpengine.dll 2011-03-03 03:38 . 2011-03-05 18:22 -------- d-----w- c:\program files\CMAK 2011-03-02 19:51 . 2011-02-15 07:36 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys 2011-03-02 19:51 . 2011-02-15 07:36 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys 2011-03-02 19:51 . 2011-02-15 07:36 182056 ----a-w- c:\windows\system32\drivers\ssidrv.sys 2011-03-02 19:51 . 2011-02-15 21:11 116592 ----a-w- c:\windows\system32\drivers\pwipf6.sys 2011-02-26 03:57 . 2011-02-26 03:57 -------- d-----w- c:\program files\Common Files\Skype 2011-02-26 03:56 . 2011-03-05 17:08 -------- d-----r- c:\program files\Skype 2011-02-26 03:56 . 2011-02-26 03:56 -------- d-----w- c:\programdata\Skype 2011-02-26 03:44 . 2011-02-26 03:45 -------- d-----w- c:\program files\Trillian 2011-02-25 22:56 . 2011-02-25 08:01 -------- d-----w- c:\windows\Panther 2011-02-25 20:56 . 2011-02-25 20:57 -------- d-----w- c:\program files\VPNSecureMe 2011-02-25 20:34 . 2011-02-25 20:34 -------- d-----w- c:\program files\Common Files\Java 2011-02-25 20:34 . 2011-02-25 20:34 -------- d-----w- c:\program files\Java 2011-02-25 20:06 . 2011-02-25 20:07 -------- d-----w- c:\program files\OpenVPN 2011-02-25 19:50 . 2011-02-05 06:20 94208 ----a-w- c:\program files\Internet Explorer\th\iediag.resources.dll 2011-02-25 17:53 . 2011-03-04 01:45 -------- d-----w- c:\program files\Full Tilt Poker 2011-02-25 17:38 . 2011-02-25 17:39 -------- d-----w- c:\program files\Xmarks 2011-02-25 15:42 . 
2011-03-05 15:41 -------- d-----w- c:\programdata\boost_interprocess 2011-02-25 15:08 . 2011-02-25 15:08 -------- d-----w- c:\programdata\Trend Micro 2011-02-25 14:05 . 2011-02-25 14:05 -------- d-----w- c:\program files\Microsoft Silverlight 2011-02-25 12:57 . 2011-02-25 15:21 -------- d-----w- c:\program files\ImageShack Uploader 2011-02-25 12:14 . 2011-02-25 12:17 -------- d-----w- c:\program files\Wave Systems Corp 2011-02-25 12:14 . 2011-02-25 12:14 -------- d-----w- c:\windows\system32\Test 2011-02-25 12:14 . 2011-02-25 13:31 -------- d-----w- c:\programdata\Wave Systems Corp 2011-02-25 12:14 . 2011-02-25 12:14 -------- d-----w- c:\windows\Downloaded Installations 2011-02-25 12:12 . 2011-02-25 12:12 -------- d-----w- c:\programdata\NTRU Cryptosystems 2011-02-25 12:10 . 2011-02-25 12:10 -------- d-----w- c:\windows\system32\drivers\th-TH 2011-02-25 12:10 . 2011-02-25 19:51 -------- d-----w- c:\windows\system32\wbem\th-TH 2011-02-25 12:10 . 2011-02-25 12:10 -------- d-----w- c:\windows\th-TH 2011-02-25 12:04 . 2011-02-25 12:04 -------- d-----w- c:\program files\Microsoft.NET 2011-02-25 11:33 . 2011-02-25 11:33 -------- d-----w- c:\programdata\Dell 2011-02-25 11:14 . 2011-02-25 11:14 -------- d-----w- c:\windows\system32\SPReview 2011-02-25 11:13 . 2011-02-25 11:13 -------- d-----w- c:\windows\system32\EventProviders 2011-02-25 10:59 . 2010-11-05 01:58 1130824 ----a-w- c:\windows\system32\dfshim.dll 2011-02-25 10:59 . 2010-11-20 12:19 53760 ----a-w- c:\windows\system32\LSCSHostPolicy.dll 2011-02-25 10:59 . 2010-11-20 10:24 52224 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys 2011-02-25 10:59 . 2010-11-20 12:21 11776 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll 2011-02-25 10:59 . 2010-11-20 12:19 3215872 ----a-w- c:\windows\system32\mstscax.dll 2011-02-25 10:59 . 2010-11-20 12:18 1171456 ----a-w- c:\windows\system32\d3d10warp.dll 2011-02-25 10:59 . 2010-11-20 12:21 120320 ----a-w- c:\windows\system32\tssrvlic.dll 2011-02-25 10:59 . 
2010-11-20 12:19 954752 ----a-w- c:\windows\system32\mfc40.dll 2011-02-25 10:59 . 2010-11-20 12:19 954288 ----a-w- c:\windows\system32\mfc40u.dll 2011-02-25 10:59 . 2010-11-20 12:17 80896 ----a-w- c:\windows\system32\RDVGHelper.exe 2011-02-25 10:57 . 2010-11-20 12:30 3911040 ----a-w- c:\windows\system32\ntoskrnl.exe 2011-02-25 10:56 . 2010-11-20 12:17 280576 ----a-w- c:\windows\system32\spreview.exe 2011-02-25 10:55 . 2010-11-20 12:18 1792000 ----a-w- c:\windows\system32\authui.dll 2011-02-25 10:54 . 2010-11-20 12:19 304640 ----a-w- c:\windows\system32\gdi32.dll 2011-02-25 10:53 . 2010-11-20 12:20 1508864 ----a-w- c:\windows\system32\pla.dll 2011-02-25 10:52 . 2010-11-20 12:30 173440 ----a-w- c:\windows\system32\drivers\rdyboost.sys 2011-02-25 10:51 . 2010-11-20 12:18 210432 ----a-w- c:\windows\system32\dxdiagn.dll 2011-02-25 10:50 . 2010-11-20 12:20 28672 ----a-w- c:\windows\system32\profprov.dll 2011-02-25 10:49 . 2009-12-15 02:31 260712 ----a-w- c:\windows\system32\nViewSetup.exe 2011-02-25 10:48 . 2011-02-25 10:48 -------- d-----w- c:\windows\system32\SRSLabs 2011-02-25 10:48 . 2010-11-20 12:21 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll 2011-02-25 10:48 . 2010-11-20 12:21 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll 2011-02-25 10:48 . 2010-11-20 12:21 363008 ----a-w- c:\windows\system32\wbemcomn.dll 2011-02-25 10:48 . 2010-11-20 12:19 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll 2011-02-25 10:48 . 2010-11-20 12:21 697344 ----a-w- c:\windows\system32\SmiEngine.dll 2011-02-25 10:48 . 2010-11-20 12:21 189952 ----a-w- c:\windows\system32\wdscore.dll 2011-02-25 10:48 . 2010-11-20 12:17 209920 ----a-w- c:\windows\system32\PkgMgr.exe 2011-02-25 10:48 . 2009-12-15 02:31 795104 ----a-w- c:\windows\system32\dpinst.exe 2011-02-25 10:47 . 2009-12-15 02:31 592488 ----a-w- c:\windows\system32\nvudisp.exe 2011-02-25 10:47 . 2010-11-20 12:18 323072 ----a-w- c:\windows\system32\drvstore.dll 2011-02-25 10:47 . 
2010-11-20 12:18 257024 ----a-w- c:\windows\system32\dpx.dll 2011-02-25 10:47 . 2009-12-15 02:31 256616 ----a-w- c:\windows\system32\nvdecodemft.dll . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-25 11:41 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll 2011-01-11 15:04 . 2011-01-11 15:04 183296 ----a-w- c:\windows\system32\Ncs2Setp.dll 2011-01-11 14:56 . 2011-01-11 14:56 659576 ----a-w- c:\windows\system32\ncs2dmix.dll 2011-01-11 14:56 . 2011-01-11 14:56 514168 ----a-w- c:\windows\system32\accesor.dll 2011-01-11 14:25 . 2011-01-11 14:25 135288 ----a-w- c:\windows\system32\ncs2instutility.dll 2011-01-11 14:01 . 2011-01-11 14:01 1930360 ----a-w- c:\windows\system32\ncscolib.dll 2011-01-08 03:27 . 2011-03-06 02:18 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd 2011-01-07 14:06 . 2011-01-07 14:06 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll 2011-01-07 14:06 . 2011-01-07 14:06 3597416 ----a-w- c:\windows\system32\nvcpl.dll 2011-01-07 14:06 . 2011-01-07 14:06 2620520 ----a-w- c:\windows\system32\nvsvc.dll 2011-01-07 14:06 . 2011-01-07 14:06 66664 ----a-w- c:\windows\system32\nvshext.dll 2011-01-07 14:06 . 2011-01-07 14:06 608872 ----a-w- c:\windows\system32\nvvsvc.exe 2011-01-07 14:06 . 2011-01-07 14:06 288872 ----a-w- c:\windows\system32\nvhotkey.dll 2011-01-07 14:06 . 2011-01-07 14:06 2558568 ----a-w- c:\windows\system32\nvsvcr.dll 2011-01-07 14:06 . 2011-01-07 14:06 111208 ----a-w- c:\windows\system32\nvmctray.dll 2010-10-13 15:28 . 2011-03-10 10:17 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay] @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}" [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}] 2010-03-29 05:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK] @="{3c3f3c1a-9153-7c05-f938-622e7003894d}" [HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}] 2010-04-13 13:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2] @="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}" [HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}] 2010-04-13 13:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3] @="{b4caf489-1eec-c617-49ad-8d7088598c06}" [HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}] 2010-04-13 13:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SharingPrivate] @="{08244EE6-92F0-47f2-9FC9-929BAA2E7235}" [HKEY_CLASSES_ROOT\CLSID\{08244EE6-92F0-47f2-9FC9-929BAA2E7235}] 2010-11-20 12:20 442880 ----a-w- c:\windows\System32\ntshrui.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay] @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}" [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}] 2010-03-29 05:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"MaxRecentDocs"= 6 (0x6)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ	autocheck autochk *\0aswBoot.exe /A:* /L:1033 /KBD:2 /dir:C:\Program
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kaspersky Security Scan.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kaspersky Security Scan.lnk
backup=c:\windows\pss\Kaspersky Security Scan.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Online Backup Status.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk
backup=c:\windows\pss\McAfee Online Backup Status.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^TdmNotify.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\TdmNotify.lnk
backup=c:\windows\pss\TdmNotify.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Trend Micro SafeSync.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Trend Micro SafeSync.lnk
backup=c:\windows\pss\Trend Micro SafeSync.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 16:07	932288	----a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44	35760	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellControlPoint]
2009-11-02 04:40	657920	----a-w-	c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2011-03-10 02:21	126976	----a-w-	c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-02-25 18:12	136176	----atw-	c:\users\goscuter1\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Immunet Protect]
2011-03-10 10:07	2584904	----a-w-	c:\program files\Immunet Protect\3.0.0\iptray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2011-01-17 09:15	1193848	----a-w-	c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2011-01-07 14:06	288872	----a-w-	c:\windows\System32\nvhotkey.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 07:49	249064	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USCService]
2010-06-22 04:33	34232	----a-w-	c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualDesk]
2011-02-23 10:17	6089576	----a-w-	c:\program files\TweakNow PowerPack 2011\VirDesk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xmarks]
2011-02-05 03:55	1092808	----a-w-	c:\program files\Xmarks\IE Extension\xmarkssync.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 1394ohci;1394 OHCI Compliant Host Controller;c:\windows\system32\drivers\1394ohci.sys [2010-11-20 164864]
R3 AcpiPmi;ACPI Power Meter Driver;c:\windows\system32\drivers\acpipmi.sys [2010-11-20 10240]
R3 adp94xx;adp94xx;c:\windows\system32\DRIVERS\adp94xx.sys [2009-07-14 422976]
R3 adpahci;adpahci;c:\windows\system32\DRIVERS\adpahci.sys [2009-07-14 297552]
R3 amdsata;amdsata;c:\windows\system32\drivers\amdsata.sys [2010-11-20 80256]
R3 amdsbs;amdsbs;c:\windows\system32\DRIVERS\amdsbs.sys [2009-07-14 159312]
R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys [2007-03-06 14336]
R3 AppID;AppID Driver;c:\windows\system32\drivers\appid.sys [2010-11-20 50176]
R3 AppIDSvc;Application Identity;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 arcsas;arcsas;c:\windows\system32\DRIVERS\arcsas.sys [2009-07-14 86608]
R3 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\DRIVERS\bxvbdx.sys [2009-07-13 430080]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
R3 BDESVC;BitLocker Drive Encryption Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\system32\DRIVERS\BrFiltLo.sys [2009-07-13 13568]
R3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\system32\DRIVERS\BrFiltUp.sys [2009-07-13 5248]
R3 Brserid;Brother MFC Serial Port Interface Driver (WDM);c:\windows\System32\Drivers\Brserid.sys [2009-07-14 272128]
R3 BrSerWdm;Brother WDM Serial driver;c:\windows\System32\Drivers\BrSerWdm.sys [2009-07-13 62336]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\System32\Drivers\BrUsbMdm.sys [2009-07-13 12160]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
R3 circlass;Consumer IR Devices;c:\windows\system32\DRIVERS\circlass.sys [2009-07-13 37888]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
R3 defragsvc;Disk Defragmenter;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 ebdrv;Broadcom NetXtreme II 10 GigE VBD;c:\windows\system32\DRIVERS\evbdx.sys [2009-07-13 3100160]
R3 elxstor;elxstor;c:\windows\system32\DRIVERS\elxstor.sys [2009-07-14 453712]
R3 fdPHost;Function Discovery Provider Host;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 Filetrace;Filetrace;c:\windows\system32\drivers\filetrace.sys [2009-07-13 28160]
R3 FsDepends;File System Dependency Minifilter;c:\windows\system32\drivers\FsDepends.sys [2009-07-14 46160]
R3 hcw85cir;Hauppauge Consumer Infrared Receiver;c:\windows\system32\drivers\hcw85cir.sys [2009-07-13 26624]
R3 HomeGroupListener;HomeGroup Listener;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 HomeGroupProvider;HomeGroup Provider;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 HpSAMD;HpSAMD;c:\windows\system32\drivers\HpSAMD.sys [2009-07-14 67152]
R3 IPBusEnum;PnP-X IP Bus Enumerator;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 IPMIDRV;IPMIDRV;c:\windows\system32\drivers\IPMIDrv.sys [2010-11-20 65536]
R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [2010-11-20 233344]
R3 KtmRm;KtmRm for Distributed Transaction Coordinator;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 lltdsvc;Link-Layer Topology Discovery Mapper;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 LSI_FC;LSI_FC;c:\windows\system32\DRIVERS\lsi_fc.sys [2009-07-14 95824]
R3 LSI_SAS;LSI_SAS;c:\windows\system32\DRIVERS\lsi_sas.sys [2009-07-14 89168]
R3 LSI_SAS2;LSI_SAS2;c:\windows\system32\DRIVERS\lsi_sas2.sys [2009-07-14 54864]
R3 LSI_SCSI;LSI_SCSI;c:\windows\system32\DRIVERS\lsi_scsi.sys [2009-07-14 96848]
R3 megasas;megasas;c:\windows\system32\DRIVERS\megasas.sys [2009-07-14 30800]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 mpio;Microsoft Multi-Path Bus Driver;c:\windows\system32\drivers\mpio.sys [2010-11-20 130432]
R3 msahci;msahci;c:\windows\system32\drivers\msahci.sys [2010-11-20 28032]
R3 msdsm;Microsoft Multi-Path Device Specific Module;c:\windows\system32\drivers\msdsm.sys [2010-11-20 116096]
R3 mshidkmdf;Pass-through HID to KMDF Filter Driver;c:\windows\System32\drivers\mshidkmdf.sys [2009-07-13 4096]
R3 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 MsRPC;MsRPC; [x]
R3 MTConfig;Microsoft Input Configuration Driver;c:\windows\system32\DRIVERS\MTConfig.sys [2009-07-13 12288]
R3 NdisCap;NDIS Capture LightWeight Filter;c:\windows\system32\DRIVERS\ndiscap.sys [2009-07-13 27136]
R3 netw5v32;Intel Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 nfrd960;nfrd960;c:\windows\system32\DRIVERS\nfrd960.sys [2009-07-14 44624]
R3 nvstor;nvstor;c:\windows\system32\drivers\nvstor.sys [2010-11-20 143744]
R3 PcaSvc;Program Compatibility Assistant Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 PeerDistSvc;BranchCache;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 pla;Performance Logs & Alerts;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 PNRPAutoReg;PNRP Machine Name Publication Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 ql2300;ql2300;c:\windows\system32\DRIVERS\ql2300.sys [2009-07-14 1383488]
R3 ql40xx;ql40xx;c:\windows\system32\DRIVERS\ql40xx.sys [2009-07-14 106064]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 s3cap;s3cap;c:\windows\system32\drivers\vms3cap.sys [2010-11-20 5632]
R3 SCPolicySvc;Smart Card Removal Policy;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 SDRSVC;Windows Backup;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 SensrSvc;Adaptive Brightness;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 SessionEnv;Remote Desktop Configuration;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 sffp_mmc;SFF Storage Protocol Driver for MMC;c:\windows\system32\drivers\sffp_mmc.sys [2009-07-13 12288]
R3 SiSRaid4;SiSRaid4;c:\windows\system32\DRIVERS\sisraid4.sys [2009-07-14 77888]
R3 Smb;Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session);c:\windows\system32\DRIVERS\smb.sys [2009-07-13 71168]
R3 sppsvc;Software Protection;c:\windows\system32\sppsvc.exe [2010-11-20 3179520]
R3 sppuinotify;SPP Notification Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 stexstor;stexstor;c:\windows\system32\DRIVERS\stexstor.sys [2009-07-14 21072]
R3 storvsc;storvsc;c:\windows\system32\drivers\storvsc.sys [2010-11-20 28032]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TBS;TPM Base Services;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 THREADORDER;Thread Ordering Server;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 tssecsrv;Remote Desktop Services Security Filter Driver;c:\windows\system32\DRIVERS\tssecsrv.sys [2010-11-20 31232]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 UI0Detect;Interactive Services Detection;c:\windows\system32\UI0Detect.exe [2009-07-14 35840]
R3 uliagpkx;Uli AGP Bus Filter;c:\windows\system32\drivers\uliagpkx.sys [2009-07-14 57424]
R3 UmRdpService;Remote Desktop Services UserMode Port Redirector;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 usbcir;eHome Infrared Receiver (USBCIR);c:\windows\system32\drivers\usbcir.sys [2009-07-13 86016]
R3 VaultSvc;Credential Manager;c:\windows\system32\lsass.exe [2009-07-14 22528]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vhdmp;vhdmp;c:\windows\system32\drivers\vhdmp.sys [2010-11-20 160128]
R3 ViaC7;VIA C7 Processor Driver;c:\windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]
R3 VMBusHID;VMBusHID;c:\windows\system32\drivers\VMBusHID.sys [2010-11-20 17920]
R3 vsmraid;vsmraid;c:\windows\system32\DRIVERS\vsmraid.sys [2009-07-14 141904]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\DRIVERS\wacompen.sys [2009-07-13 21632]
R3 wbengine;Block Level Backup Engine Service;c:\windows\system32\wbengine.exe [2010-11-20 1203200]
R3 WbioSrvc;Windows Biometric Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 wcncsvc;Windows Connect Now - Config Registrar;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WcsPlugInService;Windows Color System;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 Wd;Wd;c:\windows\system32\DRIVERS\wd.sys [2009-07-14 19024]
R3 Wecsvc;Windows Event Collector;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 wercplsupport;Problem Reports and Solutions Control Panel Support;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WerSvc;Windows Error Reporting Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WIMMount;WIMMount;c:\windows\system32\drivers\wimmount.sys [2009-07-14 19008]
R3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WPCSvc;Parental Controls;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 WPDBusEnum;Portable Device Enumerator Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 wrssweep;Webroots Volume Access Driver;c:\progra~1\Webroot\Security\Current\plugins\cleanup\wrssweep.sys [x]
R3 WwanSvc;WWAN AutoConfig;c:\windows\system32\svchost.exe [2009-07-14 20992]
R4 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-11-20 278304]
R4 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-12-17 812448]
R4 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-12-17 27040]
R4 CscService;Offline Files;c:\windows\System32\svchost.exe [2009-07-14 20992]
R4 FDResPub;Function Discovery Resource Publication;c:\windows\system32\svchost.exe [2009-07-14 20992]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-10 136176]
R4 Intel PROSet Monitoring Service;Intel PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-12-06 109728]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.199\McCHSvc.exe [2011-02-23 237008]
R4 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R4 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R4 Mcx2Svc;Media Center Extender Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R4 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
R4 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-13 229688]
R4 TabletInputService;Tablet PC Input Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S0 amdxata;amdxata;c:\windows\system32\drivers\amdxata.sys [2010-11-20 22400]
S0 CLFS;Common Log (CLFS);c:\windows\System32\CLFS.sys [2009-07-14 249408]
S0 CNG;CNG;c:\windows\System32\Drivers\cng.sys [2009-07-14 369568]
S0 FileInfo;File Information FS MiniFilter;c:\windows\system32\drivers\fileinfo.sys [2009-07-14 58448]
S0 fvevol;Bitlocker Drive Encryption Filter Driver;c:\windows\System32\DRIVERS\fvevol.sys [2010-11-20 194800]
S0 hwpolicy;Hardware Policy Driver;c:\windows\System32\drivers\hwpolicy.sys [2010-11-20 14208]
S0 iaStorV;Intel RAID Controller Windows 7;c:\windows\system32\drivers\iaStorV.sys [2010-11-20 332160]
S0 KSecPkg;KSecPkg;c:\windows\System32\Drivers\ksecpkg.sys [2009-07-14 133200]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S0 msisadrv;msisadrv;c:\windows\system32\drivers\msisadrv.sys [2009-07-14 13888]
S0 pcw;Performance Counters for Windows Driver;c:\windows\System32\drivers\pcw.sys [2009-07-14 43088]
S0 rdyboost;ReadyBoost;c:\windows\System32\drivers\rdyboost.sys [2010-11-20 173440]
S0 spldr;Security Processor Loader Driver; [x]
S0 storflt;Disk Virtual Machine Bus Acceleration Filter Driver;c:\windows\system32\drivers\vmstorfl.sys [2010-11-20 40704]
S0 vdrvroot;Microsoft Virtual Drive Enumerator Driver;c:\windows\system32\drivers\vdrvroot.sys [2009-07-14 32832]
S0 vmbus;Virtual Machine Bus;c:\windows\system32\drivers\vmbus.sys [2010-11-20 175360]
S0 volmgr;Volume Manager Driver;c:\windows\system32\drivers\volmgr.sys [2010-11-20 53120]
S0 volmgrx;Dynamic Volume Manager;c:\windows\System32\drivers\volmgrx.sys [2009-07-14 297040]
S1 blbdrive;blbdrive;c:\windows\system32\DRIVERS\blbdrive.sys [2009-07-13 35328]
S1 CSC;Offline Files Driver;c:\windows\system32\drivers\csc.sys [2010-11-20 388096]
S1 DfsC;DFS Namespace Client Driver;c:\windows\system32\Drivers\dfsc.sys [2010-11-20 78336]
S1 discache;System Attribute Cache;c:\windows\system32\drivers\discache.sys [2009-07-13 32256]
S1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\DRIVERS\ImmunetProtect.sys [2011-03-10 47440]
S1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\DRIVERS\ImmunetSelfProtect.sys [2011-03-10 31952]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-13 54776]
S1 nsiproxy;NSI proxy service driver.;c:\windows\system32\drivers\nsiproxy.sys [2009-07-13 16896]
S1 pwipf6;Privacyware Filter Driver;c:\windows\system32\DRIVERS\pwipf6.sys [2011-02-15 116592]
S1 RDPENCDD;RDP Encoder Mirror Driver;c:\windows\system32\drivers\rdpencdd.sys [2009-07-14 6656]
S1 RDPREFMP;Reflector Display Driver used to gain access to graphics data;c:\windows\system32\drivers\rdprefmp.sys [2009-07-14 7168]
S1 tdx;NetIO Legacy TDI Support Driver;c:\windows\system32\DRIVERS\tdx.sys [2010-11-20 74752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S1 Wanarpv6;Remote Access IPv6 ARP Driver;c:\windows\system32\DRIVERS\wanarp.sys [2010-11-20 63488]
S1 WfpLwf;WFP Lightweight Filter;c:\windows\system32\DRIVERS\wfplwf.sys [2009-07-13 9728]
S2 AudioEndpointBuilder;Windows Audio Endpoint Builder;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 BFE;Base Filtering Engine;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 CertPropSvc;Certificate Propagation;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 DPS;Diagnostic Policy Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 gpsvc;Group Policy Client;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 IKEEXT;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 ImmunetProtect;Immunet 3.0;c:\program files\Immunet Protect\3.0.0\agent.exe [2011-03-10 729424]
S2 iphlpsvc;IP Helper;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver;c:\windows\system32\DRIVERS\lltdio.sys [2009-07-13 48128]
S2 luafv;UAC File Virtualization;c:\windows\system32\drivers\luafv.sys [2009-07-13 86528]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-13 141792]
S2 MMCSS;Multimedia Class Scheduler;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 MpsSvc;Windows Firewall;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 NlaSvc;Network Location Awareness;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 nsi;Network Store Interface Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 PEAUTH;PEAUTH;c:\windows\system32\drivers\peauth.sys [2009-07-14 586752]
S2 Power;Power;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 ProfSvc;User Profile Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 RpcEptMapper;RPC Endpoint Mapper;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [2011-02-15 45072]
S2 SysMain;Superfetch;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 tcpipreg;TCP/IP Registry Compatibility;c:\windows\system32\drivers\tcpipreg.sys [2010-11-20 35328]
S2 UxSms;Desktop Window Manager Session Manager;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 Wlansvc;WLAN AutoConfig;c:\windows\system32\svchost.exe [2009-07-14 20992]
S3 Appinfo;Application Information;c:\windows\system32\svchost.exe [2009-07-14 20992]
S3 bowser;Browser Support Driver;c:\windows\system32\DRIVERS\bowser.sys [2009-07-13 69632]
S3 CompositeBus;Composite Bus Enumerator Driver;c:\windows\system32\drivers\CompositeBus.sys [2010-11-20 31232]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-11-03 33832]
S3 DXGKrnl;LDDM Graphics Subsystem;c:\windows\System32\drivers\dxgkrnl.sys [2010-11-20 728448]
S3 e1yexpress;Intel Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-12 221912]
S3 KeyIso;CNG Key Isolation;c:\windows\system32\lsass.exe [2009-07-14 22528]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]
S3 monitor;Microsoft Monitor Class Function Driver Service;c:\windows\system32\DRIVERS\monitor.sys [2009-07-13 23552]
S3 mpsdrv;Windows Firewall Authorization Driver;c:\windows\system32\drivers\mpsdrv.sys [2009-07-13 60416]
S3 mrxsmb10;SMB 1.x MiniRedirector;c:\windows\system32\DRIVERS\mrxsmb10.sys [2010-11-20 223232]
S3 mrxsmb20;SMB 2.0 MiniRedirector;c:\windows\system32\DRIVERS\mrxsmb20.sys [2010-11-20 96768]
S3 NativeWifiP;NativeWiFi Filter;c:\windows\system32\DRIVERS\nwifi.sys [2009-07-13 267264]
S3 netprofm;Network List Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 NETwNs32;___ Intel Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-10-18 7122944]
S3 RasAgileVpn;WAN Miniport (IKEv2);c:\windows\system32\DRIVERS\AgileVpn.sys [2009-07-13 49152]
S3 rdpbus;Remote Desktop Device Redirector Bus Driver;c:\windows\system32\DRIVERS\rdpbus.sys [2009-07-14 18944]
S3 scfilter;Smart card PnP Class Filter Driver;c:\windows\system32\DRIVERS\scfilter.sys [2010-11-20 26624]
S3 srv2;Server SMB 2.xxx Driver;c:\windows\system32\DRIVERS\srv2.sys [2010-11-20 309248]
S3 srvnet;srvnet;c:\windows\system32\DRIVERS\srvnet.sys [2010-11-20 114176]
S3 TrustedInstaller;Windows Modules Installer;c:\windows\servicing\TrustedInstaller.exe [2010-11-20 204800]
S3 tunnel;Microsoft Tunnel Miniport Adapter Driver;c:\windows\system32\DRIVERS\tunnel.sys [2010-11-20 108544]
S3 umbus;UMBus Enumerator Driver;c:\windows\system32\DRIVERS\umbus.sys [2010-11-20 39936]
S3 vwifibus;Virtual WiFi Bus Driver;c:\windows\system32\DRIVERS\vwifibus.sys [2009-07-13 19968]
S3 WdiServiceHost;Diagnostic Service Host;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 WdiSystemHost;Diagnostic System Host;c:\windows\System32\svchost.exe [2009-07-14 20992]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
RPCSS	REG_MULTI_SZ	RpcEptMapper RpcSs
defragsvc	REG_MULTI_SZ	defragsvc
WerSvcGroup	REG_MULTI_SZ	wersvc
LocalServiceNoNetwork	REG_MULTI_SZ	DPS PLA BFE mpssvc WwanSvc
swprv	REG_MULTI_SZ	swprv
LocalServicePeerNet	REG_MULTI_SZ	PNRPSvc p2pimsvc p2psvc PnrpAutoReg
NetworkServiceAndNoImpersonation	REG_MULTI_SZ	KtmRm
regsvc	REG_MULTI_SZ	RemoteRegistry
LocalServiceAndNoImpersonation	REG_MULTI_SZ	SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
DcomLaunch	REG_MULTI_SZ	Power PlugPlay DcomLaunch
NetworkServiceNetworkRestricted	REG_MULTI_SZ	PolicyAgent
sdrsvc	REG_MULTI_SZ	sdrsvc
WbioSvcGroup	REG_MULTI_SZ	WbioSrvc
wcssvc	REG_MULTI_SZ	WcsPlugInService
AxInstSVGroup	REG_MULTI_SZ	AxInstSV
secsvcs	REG_MULTI_SZ	WinDefend
PeerDist	REG_MULTI_SZ	PeerDistSvc
bdx	REG_MULTI_SZ	scan sysagent
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Nla
NWCWorkstation
SRService
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
BDESVC
AppMgmt
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
homegrouplistener
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
WdiServiceHost
sppuinotify
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetworkService
lanmanworkstation
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
BthHFSrv
homegroupprovider
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-10 02:20]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-10 02:21]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-10 02:21]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3282757158-1001404969-4251380021-1000Core.job
- c:\users\goscuter1\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-25 18:12]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3282757158-1001404969-4251380021-1000UA.job
- c:\users\goscuter1\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-25 18:12]
.
2011-03-11 c:\windows\Tasks\Immunet Scan 3192638.job
- c:\program files\Immunet Protect\ips.exe [2011-03-10 10:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.microsoft.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: LastPass - file://c:\users\goscuter1\AppData\Roaming\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\users\goscuter1\AppData\Roaming\LastPass\context.html?cmd=fillforms
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
FF - ProfilePath - c:\users\goscuter1\AppData\Roaming\Mozilla\Firefox\Profiles\tlp8sxnt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.th/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{6B78A880-15CA-468f-8422-A7960AD6FBB9} - (no file)
ShellIconOverlayIdentifiers-{4EE7A346-5845-471e-9FAB-002EAF83F8B0} - (no file)
ShellIconOverlayIdentifiers-{53DABC15-4F29-44ad-B09A-E0D0F9A3D075} - (no file)
ShellIconOverlayIdentifiers-{493FC96E-B938-4924-9B38-C4088E9B8AC2} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-sacsvr
SafeBoot-vmms
MSConfigStartUp-nwiz - nwiz.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{9F6B5CC3-5C7B-4B5C-97AF-19DEC1E380E5}"=hex:51,66,7a,6c,4c,1d,38,12,ad,5f,78,9b,49,12,32,0e,e8,b9,5a,9e,c4,bd,c4,f1
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}"=hex:51,66,7a,6c,4c,1d,38,12,26,bd,a8,0a,e6,f4,22,0e,f1,4c,12,2a,bb,94,a4,70
"{97AB88EF-346B-4179-A0B1-7445896547A5}"=hex:51,66,7a,6c,4c,1d,38,12,81,8b,b8,93,59,7a,17,04,df,a7,37,05,8c,3b,03,b1
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"=hex:51,66,7a,6c,4c,1d,38,12,ce,d6,a1,79,73,3c,17,0b,c9,9b,20,49,f5,42,16,25
"{95D9ECF5-2A4D-4550-BE49-70D42F71296E}"=hex:51,66,7a,6c,4c,1d,38,12,9b,ef,ca,91,7f,64,3e,00,c1,5f,33,94,2a,2f,6d,7a
"{B164E929-A1B6-4A06-B104-2CD0E90A88FF}"=hex:51,66,7a,6c,4c,1d,38,12,47,ea,77,b5,84,ef,68,0f,ce,12,6f,90,ec,54,cc,eb
"{C8D5D964-2BE8-4C5B-8CF5-6E975AA88504}"=hex:51,66,7a,6c,4c,1d,38,12,0a,da,c6,cc,da,65,35,09,f3,e3,2d,d7,5f,f6,c1,10
"{D93EC24D-8741-4D41-B83D-A5793B998416}"=hex:51,66,7a,6c,4c,1d,38,12,23,c1,2d,dd,73,c9,2f,08,c7,2b,e6,39,3e,c7,c0,02
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:7f,64,f2,20,37,d9,cb,01
.
[HKEY_USERS\S-1-5-21-3282757158-1001404969-4251380021-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\B*o*o*k*m*a*r*k*s* *b*a*r* \Favourites] "Order"=hex:08,00,00,00,02,00,00,00,f8,00,00,00,01,00,00,00,02,00,00,00,60,00, 00,00,01,00,00,00,52,00,31,00,00,00,00,00,00,c5,1c,3b,10,00,52,4f,4f,54,4b,\ . [HKEY_USERS\S-1-5-21-3282757158-1001404969-4251380021-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\B*o*o*k*m*a*r*k*s* *b*a*r* \Favourites\ROOTKIT] "Order"=hex:08,00,00,00,02,00,00,00,08,05,00,00,01,00,00,00,08,00,00,00,f8,00, 00,00,00,00,00,00,ea,00,32,00,84,00,00,00,00,c9,f7,4c,20,00,45,52,52,4f,52,\ . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . --------------------- DLLs Loaded Under Running Processes --------------------- . 
- - - - - - - > 'Explorer.exe'(1180) c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll c:\program files\McAfee Online Backup\MOBKshell.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\WUDFHost.exe c:\windows\System32\snmp.exe c:\program files\Common Files\McAfee\SystemCore\mcshield.exe c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe c:\windows\system32\taskhost.exe c:\windows\system32\conhost.exe c:\windows\system32\taskhost.exe c:\windows\System32\wsqmcons.exe c:\windows\system32\schtasks.exe c:\windows\system32\conhost.exe . ************************************************************************** . Completion time: 2011-03-12 02:11:55 - machine was rebooted ComboFix-quarantined-files.txt 2011-03-11 19:11 . Pre-Run: 132,072,812,544 bytes free Post-Run: 131,959,685,120 bytes free . - - End Of File - - C21FB2B653E2EAD6CD84338D0E2BD979 ComboFix didn't actually fix anything I don't think, as I then tried to install Kaspersky AV 2011 and nup. Link to comment Share on other sites More sharing options...
goscuter1 Posted March 12, 2011 Author

Thanks for your lightning quick response and assistance Edwin - I really appreciate it!

The real MS Security Essentials, or a fakeAV claiming to be MSSE?

I think it has to be the 'patched' or corrupted MSSE, right? I've never had a problem uninstalling MSSE before, and I'm certain MSSE doesn't have a service which is simply impossible to disable.

Corrupted files can also be a sign of hardware files, not just malware. Try doing a full memory scan by booting from one of these ISOs: http://www.memtest86.com/download.html http://www.memtest.org/#downiso

Sigh. I spent an hour bashing my thick head against a wall trying to launch the ISO image from a virtual drive as I've run out of writable discs. And then I remembered you posted 2 links lol - 30 seconds later, I was booting from a USB. I only did one pass, as that took a pretty long time by itself, I'm hoping that's sufficient? The report was that everything was fine, no memory errors.

After the low-level format were your partitions still intact?

I was certain dban obliterated everything, even the BIOS. After the low-level format, when I turned on the laptop, there was just a black empty screen. I could only boot with the Win7 genuine advantage disc, and there was just the single partition when it installed (I believe it automatically creates a 2nd system reserved partition if the user doesn't).

Can you post the Support Diagnostic Tool logs? (you can run it from Immunet's start menu)

Hmm - what's the best way to post the logs?

Immunet_Support_Tool_2011_03_12_06_53_38.7z
You aren't permitted to upload this kind of file

I had uninstalled Immunet and was trying to get Kaspersky installed but was unsuccessful, Kaspersky kept saying I had to get rid of clamav 1.0.26 and literally nothing I could think of was working. I was just about to reinstall Immunet and try uninstalling it again, when I noticed your response. So I'm not sure if the logs will have full history or just the last hour's... I've run the failing Updater for the logs.
goscuter1 Posted March 12, 2011 Author

I've been reading up on DISM all day, and I don't think I installed any OS installations on my Dell in the last month. I think I triggered 20 deployments...
I have a sinking feeling dban doesn't zero out virtual drives ;( - I didn't realise I had any...
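An added example (not code from this thread or from Immunet) for triaging the CBS.log that records these deployments: it parses the log's fixed layout (timestamp, level, component, message), groups servicing sessions by the client that opened them, lists packages whose execution started, and counts HRESULT failures. The sample lines are constructed in that layout, and the allowlist of expected clients is an assumption the operator supplies.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout Windows writes to C:\Windows\Logs\CBS\CBS.log
# (timestamp, level, component, message). Modelled on the poster's entries, not copied from them.
SAMPLE_CBS_LOG = """\
2011-02-25 19:52:46, Info                  CBS    Starting TrustedInstaller initialization.
2011-02-25 19:52:48, Info                  CBS    TrustedInstaller service starts successfully.
2011-02-25 19:52:48, Info                  CBS    Session: 30135530_3883677421 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:48, Info                  CBS    Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
2011-02-25 19:52:53, Info                  CBS    Session: 30135530_3934490327 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info                  CBS    Read out cached package applicability for package: Package_for_KB2479628~31bf3856ad364e35~x86~~6.1.1.4, ApplicableState: 112, CurrentState:112
2011-02-25 19:59:15, Info                  CBS    Session: 30135531_3462241678 initialized by client DISM Package Manager Provider.
2011-02-25 19:59:15, Info                  CBS    Exec: Processing started.  Client: DISM Package Manager Provider, Session: 30135531_3462241678, Package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413
2011-02-25 19:59:16, Info                  CBS    Reboot mark refs incremented to: 1
"""

# One CBS.log record: "<date> <time>, <Level> <Component> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+(?P<comp>\w+)\s+(?P<msg>.*)$"
)
# Which client (Windows Update, DISM, a setup program) opened a servicing session.
SESSION_RE = re.compile(r"^Session: (?P<sid>\S+) initialized by client (?P<client>.+?)\.$")
# The point at which a package actually starts being applied.
EXEC_RE = re.compile(
    r"^Exec: Processing started\.\s+Client: (?P<client>.+?), Session: (?P<sid>\S+), Package: (?P<pkg>\S+)$"
)
# Any bracketed HRESULT failure, e.g. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
FAIL_RE = re.compile(r"\[HRESULT = (?P<hr>0x[0-9a-fA-F]{8}) - (?P<name>\w+)\]")


def parse_cbs(text):
    """Summarise a CBS.log: sessions per client, package executions, error counts."""
    summary = {
        "sessions": defaultdict(list),  # client name -> [session ids]
        "executions": [],               # (timestamp, client, session id, package)
        "errors": defaultdict(int),     # HRESULT symbolic name -> occurrences
        "unparsed": 0,                  # lines that did not fit the record layout
    }
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            summary["unparsed"] += 1
            continue
        msg = m.group("msg").strip()
        s = SESSION_RE.match(msg)
        if s:
            summary["sessions"][s.group("client")].append(s.group("sid"))
            continue
        e = EXEC_RE.match(msg)
        if e:
            summary["executions"].append(
                (m.group("ts"), e.group("client"), e.group("sid"), e.group("pkg"))
            )
            continue
        f = FAIL_RE.search(msg)
        if f:
            summary["errors"][f.group("name")] += 1
    return summary


def review_clients(summary, expected_clients):
    """Clients that opened sessions but are not on the caller's expected list.

    WindowsUpdateAgent is normal on any patched box, and DISM Package Manager Provider
    is normal when a setup program (an IE installer, for instance) drives servicing, so
    the result is a prompt to correlate with what was run at that time, not a verdict.
    """
    return sorted(c for c in summary["sessions"] if c not in expected_clients)


if __name__ == "__main__":
    s = parse_cbs(SAMPLE_CBS_LOG)
    for client, sids in s["sessions"].items():
        print(f"{client}: {len(sids)} session(s)")
    for ts, client, sid, pkg in s["executions"]:
        print(f"{ts} {client} began executing {pkg} (session {sid})")
    for name, n in s["errors"].items():
        print(f"{name}: {n}")
    print("clients to correlate:", review_clients(s, {"WindowsUpdateAgent"}))
```

Point it at a real CBS.log by reading the file into `parse_cbs` instead of the sample; each execution's timestamp can then be matched against what was actually being installed at that moment.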
goscuter1 Posted March 12, 2011 Author

Create a .zip and try uploading that.

Cool, zip worked. Immunet_Support_Tool_2011_03_12_06_53_38.zip

I was running a Full Scan and just woke up and it seems like it might have updated, the Yellow circle is now Green and says "Up To Date" - the scan is still going though, 10 hours and counting....seems long...

Is there any reason to believe your system is still infected?

Yes. Every time I run sfc /scannow, 5 minutes later a process silently corrupts the files again, uploading from an offline registry hive. I ran Security Check and it says my Java is out of date (it's not), but when I try to d/l Java again, it gives this error message:

Googling the 1606 Error took me to Application Data (I forget why) but it says "Access is Denied" for my own folders. I'm logged in as Administrator but I cannot take control of some of the Windows Image folders/files that are being used to make my life hell... My systems are crawling. My desktop will be completely powered down and then it'll just switch on automatically, it really creeps me out. It's all a huge mess.

Aren't the virtual drives ultimately stored on a physical drive ... that you wiped?

Well I thought so. But reading now, it seems like things weren't that simple.

Does DBAN wipe the Host Protected Area ("HPA")?
No. Most vendors that are using the HPA have a toggle for it in the BIOS setup program. Future releases of DBAN may override or dishonor the HPA.

Does DBAN wipe remapped sectors?
Use the ATA-6 wipe method if you want to wipe remapped sectors. Most methods do not wipe remapped sectors.

Why doesn't DBAN detect the disks in a RAID array?
DBAN has drivers for most RAID implementations, but DBAN does not automatically disassemble RAID volumes. The operator must manually disassemble RAID volumes and put each component into "JBOD" or "SINGLE" mode for the disks to be recognized by DBAN.

Stupid program.
goscuter1 Posted March 14, 2011 Author

? I can only assume anyone reading this is studying up on the threats I've brought to light. Oh lol, apologies, I momentarily forgot where I was posting.

In 3 weeks, I feel I know more than most AV 'experts'. Children can run an AV scan. And professionals, if they're AV-industry professionals. Unfortunately, that appears to be the extent of it. I've had 30 conversations like this with paid professionals in the last month. Every forum, everyone goes silent. That's fine, not understanding something is fine, but I would have assumed professionals in this industry were problem solvers. In 3 weeks, from near computer illiteracy, I've come very close to learning enough to solve this myself - I would think it should take a literate computer expert mere minutes to study up, even if they knew nothing about it. I guess I thought wrong, by the number of threads on forums I find, where people are having very similar problems.... ...and the SILENCE, is deafening. lol. Tight industry.
goscuter1 Posted April 17, 2011 Author

Are the same files corrupted (infected I assume) always, or they are random? It would be useful to find out which process is corrupting the files, can you try running Procmon from here: http://live.sysinter...com/Procmon.exe Set it to log everything to a file. Then do the 'sfc /scannow', wait the time required for the files to get corrupted again, run another sfc to be sure they changed, and now stop procmon, and save the log it created. If you compress that log, is it small enough to upload here?

Hi Edwin, thanks for your response. Apologies for not checking back, but my frustrations with the silences across a range of forums, and every expert I hired continuing to charge me without solving anything except the question of their competence...was wearing me down.

I can't say with any certainty that they were the same files as I've moved to Linux ubuntu, awaiting the Chrome OS. I think Windows is dead, and Microsoft is finished. But I am unable to know if considerations of justice are clouding my objectivity. But I'm pretty sure the files were the same corrupted replacements. Because WFP is flawed beyond belief. It treats the deployed silent unattended installation as the 'correct' one, so I was effectively corrupting my OS with my Genuine Advantage discs and with SFC /scannow.

I've got some records lying around, if you're interested (and god knows no one else is): This is simply one batch of silent corrupted files, then my SFC /scannow replacing them all. This is just one round. I did maybe 40 rounds lolz. http://justpaste.it/98y

But who the hell knows really, when SFC command lines don't work: http://i.imgur.com/0vYYA.png

Also you can set the Windows updates to install at a scheduled time, so they don't keep creating entries in your installer logs.

Oh they were. At least at my end. Not sure what my System Administrator (aka hacker) was doing, but who am I to question his actions. After all, I was trying to hack into my own systems. Quite literally, thanks to Microsoft.
goscuter1 Posted April 28, 2011 Author

Are the same files corrupted (infected I assume) always, or they are random? It would be useful to find out which process is corrupting the files, can you try running Procmon from here: http://live.sysinter...com/Procmon.exe Set it to log everything to a file. Then do the 'sfc /scannow', wait the time required for the files to get corrupted again, run another sfc to be sure they changed, and now stop procmon, and save the log it created. If you compress that log, is it small enough to upload here?

Hi Edwin, I installed Win7 Ultimate again after the issues were crashing my Linux distributions as well. And I remembered this post, so I ran Procmon and immediately hit sfc /scannow but.. in the mere minutes it took to verify, over 8,000,000 (8 million) processes were recorded by Procmon. And to top it off, I hadn't waited long enough for the files to be corrupted again lol, and it's been quite a few hours since the last corruption, the results of which I have logged of course (over 3000 cbs.log entries for the single sfc /scannow a few hours ago). It filled 8 procmon log files in the 10 minutes or so that it took to run the scan which didn't find any violations. To get two sfc /scannow outputs, with the silent process replacing all the files in between, we're talking hundreds of millions of processes! I assume that kind of output is of no use?

As I was writing that out, I thought "oh that can't be right, it must have been 800,000 or something" - so I just ran it again. In 7 minutes, 7 million processes monitored. This is non-stop.
goscuter1 Posted April 29, 2011 (Author)

> In that case I don't think that you are dealing with a virus, but rather some kind of hardware defect. Which Linux distribution did you use, and with what error message did it crash?

Ubuntu 10.4, 10.10 and 11.04, and Mint 10.10. The crashing isn't the concern; crashing is merely a side-effect of being hacked. Very similar problems to Windows but not as rapidly destructive (huge directories and sub-directories of folders/files no one could really explain, all inaccessible with sudo of course; some recursion which slowed my systems down but wasn't really a problem, it just reflected all the virtual terminals that I couldn't access, which were a problem; a lot of permission denied messages logged in as root or with sudo, trying to access SSH connections and services that I didn't install, were certainly not default, and which couldn't be killed by sudo; and even losing sudo altogether trying to uninstall a Samba service which was never installed - the huge directories of Samba-related files I couldn't access certainly weren't default - which gave me flashbacks of how this all started with TrustedInstaller overriding INBUILT Administrator permissions).

    goscuter1@goscuter1-Latitude-E6500:~$ rpcinfo -p
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100024    1   udp  55518  status
        100024    1   tcp  37408  status
        100021    1   udp  49813  nlockmgr
        100021    3   udp  49813  nlockmgr
        100021    4   udp  49813  nlockmgr
        100021    1   tcp  43446  nlockmgr
        100021    3   tcp  43446  nlockmgr
        100021    4   tcp  43446  nlockmgr
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100003    4   tcp   2049  nfs
        100227    2   tcp   2049
        100227    3   tcp   2049
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100003    4   udp   2049  nfs
        100227    2   udp   2049
        100227    3   udp   2049
        100005    1   udp  50908  mountd
        100005    1   tcp  43996  mountd
        100005    2   udp  50908  mountd
        100005    2   tcp  43996  mountd
        100005    3   udp  50908  mountd
        100005    3   tcp  43996  mountd

The nlockmgr is part of the file locking manager system for NFS. It forwards local file locking requests to the lock manager on the server system. This service should be disabled if your system is not acting as either an NFS client or server.

The rootkit evidence is pretty overwhelming with every OTL, ComboFix, Gmer, HijackThis etc scan I've ever run (*when they run* or *when the options aren't all greyed out*). But I only just realised I've been stupidly distracted by all the endless side-effects and not getting at the core issue, which is the deployments being recorded in my cbs.log and windowsupdate.log files. Even they aren't the core issue of course; the core issue is hardware hijacking - which is why my endless zero-filling has just been a complete waste of time. I agree it's hardware defects, intentionally created, initially by a rootkit or the criminal Dell service technician they're refusing to take responsibility for. I just don't understand enough (or anything) about the hardware. So I get all distracted by the deployed Microsoft-signed patches screwing up Win7 and the entire hard drive's contents. Microsoft are the WORST.

But getting at the root of the problem has forced me back to Windows, because of course it's very hard to convince a Linux user that the problems are real - I mean, they're not having them! (this is literally their logic, sigh). In Windows, the side-effects are a lot more... overwhelming. Stuff like patched MSSE versions and non-default programs like WinMail being deployed; which all come up as "patched" on Secunia's PSI joke program - no doubt they are patched, but it's a joke program that gives non-default unauthorised installations like WinMail a green 100% thumbs up. They censored my thread politely enquiring about it, of course. Wonderful ethics.

All these drivers were installed and showing as autoruns in Sysinternals' handy app: I just unclicked them all after realising every single one of them seemed unnecessary and a vulnerability. This system is running a lot better now, but all these things are side-effects. I need to secure my system from the network administrators who are using FEP and DISM to deploy all the crap onto my systems. And they're getting access via the hardware. I have a stack of pics of all the controllers and whatnot, which I'll post shortly as I think they're the key... once I get over the fear of destroying my brand new HTC Desire HD (literally everything gets destroyed, my Nokia N97mini is currently RIP).

> Look more closely at what those numbers mean: "Showing 7,114,492 of 7,142,955 events". They are events, not processes.

Ah okay. I'm the kind of guy who jumps to conclusions that a program called Process Monitor would be listing processes. But events, processes, it's all semantics to me I'm afraid... I'm quite certain 1,000,000 *events* per minute is not normal. Neither is 7000 cbs.log entries in 41 seconds for a single MSSE patch which MSSE already downloaded 6 hrs earlier.

> It would be more interesting if you could start a procmon capture after your SFC scan is finished, and wait till files get corrupted.

It's just side effects, Edwin. In any case, I can see what's corrupting them, it's all being recorded in the logs. I need to focus on blocking the deployments, and I think the answer is either: figuring out how to clean what DBAN and BIOS flashing and CMOS flushing and MBR fixing cannot; or figuring out how to be 100% certain my Internet is secure, then just make a bonfire out of the electronics in my apartment. Either would be fine. I've had 10 weeks of this. That's enough for me. Christ Microsoft are filthy.
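The rpcinfo listing in the post above is the kind of output a defender wants to check mechanically rather than by eye: which RPC programs are registered with the portmapper, and whether any of them belong to a role (NFS client or server) the host is not supposed to have. The script below is an added example, not part of the thread and not from rpcinfo itself; it embeds the post's own listing as its sample so it runs offline, and it assumes the program-number-to-name table from the standard /etc/rpc (in particular that 100227, which rpcinfo printed with an empty name column, is nfs_acl).

```python
"""Parse `rpcinfo -p` output and flag RPC programs that a host with no NFS role
should not be registering with the portmapper.
Added example, not from the thread or from rpcinfo; the sample text is the
listing from the post, embedded so the script runs without a live system."""

# Sample taken from the post (the header line is included, as rpcinfo prints it).
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  55518  status
    100024    1   tcp  37408  status
    100021    1   udp  49813  nlockmgr
    100021    3   udp  49813  nlockmgr
    100021    4   udp  49813  nlockmgr
    100021    1   tcp  43446  nlockmgr
    100021    3   tcp  43446  nlockmgr
    100021    4   tcp  43446  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100005    1   udp  50908  mountd
    100005    1   tcp  43996  mountd
    100005    2   udp  50908  mountd
    100005    2   tcp  43996  mountd
    100005    3   udp  50908  mountd
    100005    3   tcp  43996  mountd
"""

# Program numbers are stable; the names follow /etc/rpc. rpcinfo leaves the name
# column empty for 100227 on some systems; /etc/rpc lists it as nfs_acl (assumed here).
RPC_PROGRAM_NAMES = {
    100000: "portmapper", 100003: "nfs", 100005: "mountd",
    100021: "nlockmgr", 100024: "status", 100227: "nfs_acl",
}

# Everything an NFS client or server registers beyond the portmapper itself:
# nfs/mountd/nfs_acl on the server side, nlockmgr and status (rpc.statd) on both sides.
NFS_ROLE_PROGRAMS = {100003, 100005, 100021, 100024, 100227}


def parse_rpcinfo(text):
    """One dict per registration: program, version, proto, port, name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header line or blank line
        prog, vers, proto, port = int(parts[0]), int(parts[1]), parts[2], int(parts[3])
        name = parts[4] if len(parts) > 4 else RPC_PROGRAM_NAMES.get(prog, f"prog{prog}")
        rows.append({"program": prog, "version": vers, "proto": proto, "port": port, "name": name})
    return rows


def unexpected_services(rows, host_is_nfs=False):
    """name -> sorted 'proto/port' endpoints for programs outside the host's declared role."""
    findings = {}
    for r in rows:
        if host_is_nfs or r["program"] not in NFS_ROLE_PROGRAMS:
            continue
        findings.setdefault(r["name"], set()).add(f"{r['proto']}/{r['port']}")
    return {name: sorted(endpoints) for name, endpoints in findings.items()}


def listening_endpoints(rows):
    """Distinct (proto, port) pairs the portmapper advertises, to cross-check against
    `ss -lntup`: a registration with no matching socket is itself worth explaining."""
    return sorted({(r["proto"], r["port"]) for r in rows})


if __name__ == "__main__":
    for name, eps in unexpected_services(parse_rpcinfo(RPCINFO_SAMPLE)).items():
        print(f"{name}: {', '.join(eps)}")
```

On a desktop or laptop with no NFS role, the fix is to remove or disable the packages that register these programs (on Debian/Ubuntu, nfs-common for rpc.statd and the lock manager, nfs-kernel-server for nfs and mountd) and then re-run rpcinfo -p to confirm only portmapper remains; filtering the ports leaves the services running.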
goscuter1 Posted April 29, 2011 (Author)

Hardware. Sigh, I just don't know what all these controllers are, but I'm pretty sure they're suspect. This is for my desktop: After a 10 hour DBAN, I don't understand these because this BIOS is flashed. What are all these PCI Unknowns - do you think they're the culprit? This is just more of the scan which starts above. 10 screens of PCI controllers that are too complicated for me to make sense of. I don't really like all the Unknowns. Far too many Unknowns, in this industry...

http://i.imgur.com/1uEW5.jpg
http://i.imgur.com/9lHFJl.jpg
http://i.imgur.com/qrs8Kl.jpg
http://i.imgur.com/LTqD4l.jpg
http://i.imgur.com/Wbx05.jpg
http://i.imgur.com/2Cbt3.jpg
http://i.imgur.com/J2Y3a.jpg
http://i.imgur.com/Exo9D.jpg

I dunno; after a 10 hour DBAN, seeing that just makes my stomach churn, and god I hope it's the culprit because I have no other suspects now that my modem/router are looking annoyingly innocent. No DBAN, no you did not.

I'm not sure if this meant anything as I think X: is used as the virtual drive for Recovery, but I know corrupt files are being pulled from a repository, so the fact that I can't delete them struck me as annoying:
goscuter1 Posted April 29, 2011 (Author)

> Let's try to not jump to conclusions, and leave paranoia aside for a moment.

No. It's not paranoia when there are endless breaches. I'm sick right now, I'm just... I lost net connection for a half hour or so and my ISP said there wasn't any problem, so I went in to take a look. Sigh. http://codepad.org/V6M50C5D

That explains the Broadcom drivers in my Autoruns. Oh, and if it wasn't obvious, I'm not using Linux at this point in time. But I've seen "squashfs" and "NFS" before, on my systems where I didn't install them. I don't know what this means now; I was about to burn everything under the belief my connection was secure. But they're coming through NAT and a hardware firewall with a yawn? vomit...

They're reactive also. It's incredibly creepy. After those PCI pics, I killed PlugNplay and RpcEptMapper and some other services on my laptop. My desktop crashed and I didn't bother zero-filling, I just formatted and installed Windows again, and they're reactive!

> If you really want to disconnect the network cable, do a clean Windows install, and work that way for a while.

I'm not sure what you thought I was doing or trying to do; but I assure you the above has been it for a very long time now. The installation logs of a system that has all networking functionality disabled in BIOS; I even took it down to the other end of my building and checked for Wifi with my phone and, in a complete dead spot, installed after a zero-fill format... never been online, the installation logs aren't complex.

> Those files in /proc are normal: one is created for every process that runs.

Yes. I didn't run the processes.

> It is normal that you cannot access them as a normal user, only root can access them.

Yes, I was root. And unable to access them.

> You should be able to 'sudo ls -l /proc/2', etc, once you get sudo working.

Oh it always was. Until I'd lose it being too pesky trying to mount an unknown filesystem on my system. Somewhat rudely; as they were never my filesystems.

> pts listmax, listentries are commands for Andrew File System: http://manpages.ubun..._listmax.1.html Most likely you do not use Andrew File System, thus the output from these commands makes no sense.

Yeah you're not really getting it. I absolutely did not want to use AFS. But AFS was accessing my system, so I was attempting to query it. As root, you might note.

> Probably because you've run some chmod -R, or chown -R commands in the wrong place.

Oh good god. I've never run chmod or chown commands in my entire life. I barely do anything except query data until my systems crash. I'm tired of conversations like these; are you just wasting my time?

> Linux has extensive logging, so it should be easy to find out why samba got installed (it could have been installed as a dependency of another package). You can start from /var/log/apt/history.log, and (if you regain sudo) /var/log/apt/term.log. /var/log/messages is also a good place.

SO DOES WINDOWS!!!

> You can also try asking on various Linux forums/IRC channels, I'm sure you'll find someone to help you if you are patient and willing to listen.

On Launchpad, I had a genius helping me out and he was mostly concerned about AFS accessing my system; more so than I was - I was all fretting over an unexplainable .local domain which was killing Avahi. But I'm using Windows for a few reasons currently, purely functional as I don't know my way around the Terminal yet. And don't have time to learn, because I keep getting pulled into ridiculous conversations proving what I've PROVEN 15 posts back.

> It might be that your Windows install media is somehow corrupted, or some program that you install is malicious.

Or it might be what the evidence has been saying it is all along.
goscuter1 Posted April 29, 2011 (Author)

> Also if you are paranoid download the full install DVD, disconnect your network cable, install, and run that way for a while. Then see that nothing happens when you connect the internet cable.

I just don't know if you're levelling me or having a laugh. But literally what do you think I've been doing after hours of zero-filling? Just jumping straight on the network? for heaven's sake...

> Again, if you are paranoid there is tripwire: it creates a secure hash of every file on your system, you can digitally sign it with a key that you keep on removable media, etc.

GREAT..! HOW DO I GET IT ON MY SYSTEMS? Or am I supposed to secure hash in the corruption, you understand that's what's happening? The second the control order from the disc is launched, the PCI controllers launch into action and execute their preset commands. It's all there in the installation logs, thousands of them.

> That looks pretty normal: some USB controllers, Audio controllers, Video controller, etc. The unknown ID just means that its ID isn't in the PCI id database, because no one has added it yet.

No. It's not normal. That's utter nonsense. And I'm not going to accept anyone else claiming that 50 virtual terminals on a fresh install or BUILTIN Administrator being unable to do squat or really any of this crap from now on. You think it's normal? Fine, reproduce it. I'm sick of hearing that ridiculous line.

> Is your Windows installed on C: or X:?

It jumps around. Quite literally. There's a Q drive on my Dell I can't touch. Doesn't really matter much to me, LIKE IT REALLY DOESN'T CHANGE MUCH FOR ME.
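Edwin's tripwire suggestion in the post above, and the earlier question of which files SFC kept replacing between two runs, both come down to one mechanism: hash every file once from a known-good state, keep the signed baseline off the machine, and diff against it later, so the comparison is against a fixed reference rather than against whatever SFC currently believes is correct. The script below is an added example in Python, not tripwire's code and not anything posted in the thread. It uses an HMAC with a key that is assumed to live on removable media in place of tripwire's asymmetric signature, and the directory and files it hashes are constructed in a temporary folder; on a real system you would point build_manifest at the directories you care about (a Windows system folder, /usr, /etc) from a boot medium.

```python
"""Tripwire-style baseline: hash every regular file under a root, sign the manifest
with a key kept off the host, and later report added/removed/modified files.
Added example, not tripwire's own code. HMAC-SHA256 stands in for an asymmetric
signature so the script runs stand-alone."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """relative-path -> sha256 for every regular file below root (symlinks skipped)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def _canonical(manifest):
    """Deterministic encoding so the same manifest always yields the same tag."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """Attach an HMAC tag. The key is meant to be stored on removable media, so an
    attacker who rewrites the baseline on disk cannot also forge the tag."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "hmac_sha256": tag}


def verify_signature(signed, key):
    expected = hmac.new(key, _canonical(signed["manifest"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["hmac_sha256"])


def diff_manifests(baseline, current):
    """Which files appeared, vanished, or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline three files, then replace one, add one, delete one."""
    key = b"constructed-demo-key-would-live-on-removable-media"
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "System32")
        os.makedirs(sub)
        for name, data in (("a.dll", b"A"), ("b.dll", b"B"), ("c.dll", b"C")):
            with open(os.path.join(sub, name), "wb") as f:
                f.write(data)
        signed = sign_manifest(build_manifest(root), key)

        with open(os.path.join(sub, "b.dll"), "wb") as f:   # silently "patched"
            f.write(b"B-replaced")
        with open(os.path.join(sub, "d.dll"), "wb") as f:   # new file dropped in
            f.write(b"D")
        os.remove(os.path.join(sub, "c.dll"))               # file removed

        baseline_ok = verify_signature(signed, key)
        changes = diff_manifests(signed["manifest"], build_manifest(root))

        # An attacker who edits the stored baseline to match the new hashes still
        # cannot produce a valid tag without the off-host key.
        forged = {"manifest": build_manifest(root), "hmac_sha256": signed["hmac_sha256"]}
        forged_ok = verify_signature(forged, key)
        return baseline_ok, changes, forged_ok


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the state it was taken from, which is the point the author raises: it has to be built from media you trust, before the system is exposed, and the key has to be removed afterwards. Once that holds, a "modified" entry for a file you did not change is a concrete, reproducible finding rather than a log volume to argue about.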
goscuter1 Posted April 30, 2011 (Author)

This RedHat discussion seems to deal indirectly with the security issue I'm facing. I don't really understand it fully but 100% this is what's going on... https://bugzilla.red...g.cgi?id=526713

> Description of problem: PCIe switches allow peer to peer transactions that are routed by the switch and could bypass the VT-d translation hardware, potentially causing unexpected behavior in the system. ACS allows the system to force the PCIe switch to route all traffic upstream so that the VT-d hardware can validate all transactions. The virtualization management tools should not allow direct assignment of a device that is below a non-ACS enabled PCIe switch to a guest.
>
> Chris Wright:
>
> Capabilities: [150] Access Control Services
>
> With a standard RHEL 5 lspci, you'd see an unknown PCIe capability such as:
>
> Capabilities: [150] Unknown (13)
>
> In the above example the '150' is a device specific offset into the PCIe Extended Configuration Space where the Capability is described. So '150' is not special here and may be different for different PCIe functions (just needs to be greater than 0xFF). The PCIe Capability ID for ACS is 0xD (13). So the string "Access Control Services" (using my patched lspci binary) or the string "Unknown (13)" are the important bit here. If you are not using a patched lspci binary it's much more difficult to describe what to look for to see ACS support enabled (easy to see whether it's capable or not by the (lack of) existence of "Capabilities: [???] Unknown (13)").

nb. my problem is that there are virtualisation management tools there in the first place. Virtualisation that I suspect these hidden drivers are related to? I unticked every single one of them except for the Realtek LAN controller and my system was running brilliantly. At least for a short while... they certainly were not 'default', let alone ESSENTIAL.
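The Red Hat comment quoted above gives the exact strings to look for in lspci output but notes that, without the patched binary, telling "capable" from "enabled" is awkward. The script below is an added example, not from the bug report or from lspci itself: it reads `lspci -vvv` text, records for each PCI function whether an ACS capability is present in either the modern "Access Control Services" spelling or the older "Unknown (13)" spelling, and, where the ACSCtl line is printed, reports whether the four bits that force traffic upstream to the IOMMU (SrcValid, ReqRedir, CmpltRedir, UpstreamFwd, the set the Linux kernel checks before it will put devices under a port into separate IOMMU groups) are actually set. The lspci text it parses is a constructed sample; on a real machine feed it the output of `lspci -vvv` run as root.

```python
"""Scan `lspci -vvv` text for the PCIe ACS capability and report, per function,
whether ACS is present and whether its isolation bits are actually enabled.
Added example, not lspci's or Red Hat's code. LSPCI_SAMPLE is constructed."""
import re

LSPCI_SAMPLE = """\
00:01.0 PCI bridge: Example Vendor Root Port (constructed sample)
        Capabilities: [140 v1] Access Control Services
                ACSCap: SrcValid+ TransBlk+ ReqRedir+ CmpltRedir+ UpstreamFwd+ EgressCtrl- DirectTrans-
                ACSCtl: SrcValid+ TransBlk- ReqRedir+ CmpltRedir+ UpstreamFwd+ EgressCtrl- DirectTrans-
00:1c.0 PCI bridge: Example Vendor PCIe Switch Port, ACS capable but not enabled (constructed)
        Capabilities: [150 v1] Access Control Services
                ACSCap: SrcValid+ TransBlk+ ReqRedir+ CmpltRedir+ UpstreamFwd+ EgressCtrl- DirectTrans-
                ACSCtl: SrcValid- TransBlk- ReqRedir- CmpltRedir- UpstreamFwd- EgressCtrl- DirectTrans-
00:1c.4 PCI bridge: Example Vendor PCIe Switch Port, as an old lspci prints it (constructed)
        Capabilities: [150] Unknown (13)
02:00.0 Ethernet controller: Example Vendor NIC, no ACS (constructed)
        Capabilities: [40] Power Management version 3
"""

# A device line starts at column 0 with a bus:dev.fn address (optionally domain-prefixed).
DEVICE_RE = re.compile(r"^(?:[0-9a-f]{4}:)?[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]\b")
# Extended capability ID 0xD (13) is ACS; an old lspci prints it as "Unknown (13)".
ACS_CAP_RE = re.compile(
    r"Capabilities: \[([0-9a-f]+)(?: v\d+)?\] (?:Access Control Services|Unknown \(13\))")
ACSCTL_RE = re.compile(r"ACSCtl:\s*(.*)")
BIT_RE = re.compile(r"([A-Za-z]+)([+-])")

# Bits that route peer-to-peer traffic up to the IOMMU instead of across the switch.
ISOLATION_BITS = ("SrcValid", "ReqRedir", "CmpltRedir", "UpstreamFwd")


def parse_acs(text):
    """bdf -> {'desc', 'acs_offset' (int or None), 'acs_ctl' (dict of bit -> bool or None)}."""
    devices, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            if DEVICE_RE.match(line):
                bdf = line.split()[0]
                current = {"desc": line[len(bdf):].strip(), "acs_offset": None, "acs_ctl": None}
                devices[bdf] = current
            else:
                current = None
            continue
        if current is None:
            continue
        cap = ACS_CAP_RE.search(line)
        if cap:
            current["acs_offset"] = int(cap.group(1), 16)
            continue
        ctl = ACSCTL_RE.search(line)
        if ctl and current["acs_offset"] is not None:
            current["acs_ctl"] = {name: flag == "+" for name, flag in BIT_RE.findall(ctl.group(1))}
    return devices


def acs_status(dev):
    if dev["acs_offset"] is None:
        return "no-acs"
    if dev["acs_ctl"] is None:
        return "acs-capable-ctl-unknown"   # older lspci only shows "Unknown (13)"
    if all(dev["acs_ctl"].get(bit, False) for bit in ISOLATION_BITS):
        return "acs-enforced"
    return "acs-capable-not-enabled"


def report(text):
    """bdf -> status. Anything other than 'acs-enforced' on a bridge means devices
    below it are not isolated from each other by the switch."""
    return {bdf: acs_status(dev) for bdf, dev in parse_acs(text).items()}


if __name__ == "__main__":
    for bdf, status in report(LSPCI_SAMPLE).items():
        print(f"{bdf}  {status}")
```

The capability only says the hardware can enforce ACS; the ACSCtl line says whether firmware or the kernel turned it on. Endpoints (a NIC, a disk controller) normally report "no-acs" and that is expected; the reading that matters is on the bridge above them, and a bridge reporting "acs-capable-not-enabled" or "no-acs" is the non-ACS switch the bug report says should never have a device below it assigned directly to a guest.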